CanvasMesh Privacy Policy
This Privacy Policy describes how CanvasMesh (“we”, “us”) collects, uses, shares, and protects personal information. It applies to all users of CanvasMesh services.
We act as:
- Data controller for account data, billing, and service operations
- Data processor for content you upload (you remain the controller of your Content)
1. Information We Collect
1.1 Information you provide
Account information:
- Email address
- Name and profile picture (from your identity provider)
- Account preferences
- Age confirmation (a one-time checkbox confirming you are at least 16; we do not store your date of birth)
Payment information:
- We do NOT store credit card numbers. Payment is processed by Stripe.
- We receive transaction metadata: amount, status, last-4 digits, billing country.
Content:
- Files you upload
- Canvases, spaces, comments, annotations you create
- Metadata you provide (titles, descriptions, tags)
Communications:
- Support requests
- Feedback
1.2 Information collected automatically
Technical data:
- IP address (truncated or hashed for most uses; see Section 5)
- Browser type, operating system, device identifiers
- Referrer URLs
- Language preference
Usage data:
- Actions taken (uploads, views, shares)
- Error reports, performance metrics
- Feature usage analytics
Cookies and similar technologies:
- Session cookies (authentication)
- Preference cookies (theme, locale)
- No third-party advertising cookies
See Section 7 for details.
1.3 Information from third parties
Identity provider (Google): When you sign in, we receive the scopes you approve (typically email, name, avatar).
Third-party renderers: Renderer authors may collect usage data from within their renderer, subject to the permissions you grant. We are not responsible for their practices; review their policies.
2. How We Use Information
2.1 To provide the Service
- Authenticate you and manage your account
- Store and render your Content
- Deliver emails (account, notifications, security)
- Process payments
2.2 To improve the Service
- Analyze usage patterns
- Debug errors and performance issues
- Develop new features
2.3 To communicate
- Service updates
- Security alerts
- Billing notifications
- Responses to support inquiries
- Marketing (with opt-out; see Section 6.3)
2.4 To ensure safety and compliance
- Detect abuse, fraud, and security threats
- Moderate content that may violate our Terms
- Comply with legal obligations, respond to legal requests
2.5 What we do NOT do
- Sell your personal information
- Use your Content to train generative AI models (unless you opt in)
- Share Content with advertisers
- Scan Content beyond what is necessary for abuse detection and service operation
3. Legal Bases (GDPR / UK GDPR)
If you are in the EU, UK, or other jurisdictions with similar laws, we process your data under these legal bases:
| Purpose | Legal basis |
|---|---|
| Provide the Service you signed up for | Contract (Art. 6(1)(b)) |
| Billing | Contract + Legal obligation |
| Service improvement, analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) — opt-out anytime |
| Fraud/abuse prevention | Legitimate interest + Legal obligation |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
4. Sharing and Disclosure
We share information with:
4.1 Service providers (sub-processors)
These companies help us operate the Service. They receive only the data needed for their function and are bound by confidentiality:
| Provider | Purpose | Data |
|---|---|---|
| Cloudflare | Hosting, CDN, file storage (R2), edge compute (Workers) | Content, IP addresses, request metadata |
| Stripe | Payment processing | Billing data (not stored by us) |
| Google | OAuth sign-in | Login tokens, profile data |
Additional providers (for transactional email, analytics, and error monitoring) are added as the Service grows; a current list is published at canvasmesh.app/sub-processors prior to public launch.
4.2 Other users
Content you share or publish is accessible to those you share it with, according to your sharing settings.
4.3 Legal compliance
We may disclose information when legally required (subpoenas, court orders, government requests), always within the bounds of applicable law.
4.4 Business transfers
If CanvasMesh is acquired, merged, or dissolved, your information may be transferred to the successor, subject to equivalent privacy protections.
4.5 With your consent
We may share information in other ways with your explicit consent.
5. Data Retention
| Data type | Retention |
|---|---|
| Account information | Until account deletion + 30 days |
| Content (persistent files) | Until you delete it, or 90 days after last account activity |
| Content (temporary files) | 24 hours, then hard-deleted |
| Billing records | 7 years (legal requirement in most jurisdictions) |
| Usage logs | 90 days |
| Error logs | 30 days |
| Backups | Up to 30 days after deletion in production |
| IP address (raw) | Truncated or hashed within 30 days |
| Abuse reports | As long as necessary for safety investigations |
6. Your Rights
Depending on your jurisdiction, you may have the following rights. We honor these for all users globally where practical.
6.1 Universal rights
- Access: See what data we hold about you
- Correction: Fix inaccurate data
- Deletion: Request we delete your data (“right to erasure”)
- Export: Receive your data in a portable format
- Withdraw consent: For processing based on consent
6.2 EU/UK/EEA rights (GDPR)
In addition to the above:
- Restriction: Limit processing in certain cases
- Objection: Object to processing based on legitimate interest
- No automated decisions: Not be subject to solely automated decisions with legal effect (we don’t do this)
- Lodge complaint: With your local Data Protection Authority
6.3 California rights (CCPA/CPRA)
- Know: What data we collect, sources, purposes, third parties
- Delete: Request deletion
- Correct: Request correction
- Opt out of “sale” or “sharing”: We do not sell your data. If we did, you could opt out.
- Limit use of sensitive personal information: We don’t use SPI beyond what’s necessary for the Service.
- Non-discrimination: Exercising your rights won’t affect service
6.4 Other jurisdictions
Residents of other regions (Virginia, Colorado, Brazil, etc.) have similar rights under local law. Contact us at support@canvasmesh.app to exercise any right.
6.5 How to exercise your rights
- Access, export, deletion: Available in account settings
- Other requests: Email support@canvasmesh.app
- We respond within 30 days (may extend with notice for complex cases)
- We may verify your identity before fulfilling requests
7. Cookies and Tracking
We use:
Essential cookies (cannot be disabled):
- Authentication session
- CSRF tokens
- Load balancing
Functional cookies:
- UI preferences (theme, language)
- Dismissed notifications
Analytics cookies (opt-out available):
- Page views
- Feature usage
- Performance metrics
No advertising cookies. We do not use third-party advertising or cross-site tracking cookies.
You can manage cookies in your browser settings. Some features may not work without essential cookies.
8. International Data Transfers
CanvasMesh operates globally. Your data may be processed in countries other than your own, including the United States, where Cloudflare’s infrastructure is primarily located.
For EU/UK users, we rely on:
- Standard Contractual Clauses (SCCs) with sub-processors in the US
- Adequacy decisions where applicable
- Technical safeguards (encryption in transit and at rest)
You can contact us for copies of safeguard agreements.
9. Security
We take security seriously:
- Encryption: TLS 1.2+ in transit; at-rest encryption on R2 storage
- Access control: Team members access user data only as necessary; activity is logged
- Sandbox: Renderers run in isolated iframes on separate domains (see our security documentation)
- Incident response: We will notify affected users without undue delay in case of a breach, as required by law (within 72 hours of awareness for GDPR-covered incidents)
- Bug bounty: Report security issues to support@canvasmesh.app; we commit to good-faith engagement
No system is 100% secure. We cannot guarantee absolute security.
10. Age Requirement
The Service is not available to users under 16 years of age.
When creating an account, you confirm that you are at least 16. We do not collect date of birth.
If you are a parent or guardian and believe a user under 16 has created an account, contact us at support@canvasmesh.app and we will investigate and delete the account if verified.
For users aged 16-17, we apply the same privacy protections as all other users.
11. Third-Party Renderers
Third-party renderers may process data within your browser when you use them. They do not automatically receive your account information, but may:
- See the content of files you render with them (required for rendering)
- Receive permissions you grant (e.g., network access, storage)
- Collect aggregate usage statistics (if you grant telemetry permission)
CanvasMesh is not responsible for renderer authors’ practices. Review the renderer’s information before granting permissions.
12. AI and Machine Learning
What we do:
- Automated content scanning for abuse detection (e.g., CSAM, malware)
- Automated rendering quality checks for official renderers
What we do NOT do:
- Train generative AI models on your Content (without explicit opt-in consent)
- Use your private Content to generate insights for other users
- Share your Content with AI providers for training
13. Links to Third Parties
The Service may contain links to third-party websites (e.g., in shared spaces, custom domains, or renderer documentation). This policy does not apply to third-party sites.
14. Do Not Track Signals
Some browsers send “Do Not Track” signals. There is no universal standard for responding to these. We treat all users according to this Privacy Policy regardless of DNT signals. Analytics opt-out is available in account settings.
15. Changes to This Policy
We may update this Privacy Policy. We will give notice of material changes as follows:
- Email to your registered address
- Banner in the Service
- At least 30 days’ notice before taking effect
Continued use of the Service after the effective date constitutes acceptance.
16. Contact
- General: support@canvasmesh.app
Complaints
If you are not satisfied with our response, EU users may lodge a complaint with their local data protection authority (edpb.europa.eu). UK users may contact the ICO.